Friday, June 8, 2012

IPv6 Security: Back to square one?

After playing with an IPv6 "Hello World!" and surfing IPv6 a bit during the IPv6 World Launch, I noticed something while reading some of the IPv6 configuration guides available for Unix. Let me see... interface definition, tunnel creation, tunnel end-point address, DNS, etc. Everything seems to be in order, but something is missing: the firewall!
In the rush to set up our new IPv6 connection, and after all that time working behind a NAT, we did not pay attention to that important element, and some machines are plugged in wide open. NAT was never a firewall; it only hid hosts behind a single address that nobody on the outside could route to. With a globally routable IPv6 address on every host, that accidental protection is gone, and any filtering has to be explicit.
Is it just a couple of poorly configured systems, or an epidemic? Let's scan the network "old style". A sequential scan of the IPv6 range is not viable because of its size (2^128 addresses), so I took an address list from the IPv6 database at http://flyr.info/ . From there I got 16839 unique IPv6 addresses, a good sample to test.
With the nc command on Linux, the address list and a loop we have a low-cost port scanner:

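The scanner loop itself is not reproduced on this page. The following is an added example of how such a loop can be built from nc, an address list and a summary step; it is not the original post's script. It assumes an OpenBSD-style nc (the netcat-openbsd package on Debian/Ubuntu) that understands -6, -n, -z and -w, and a file with one IPv6 address per line. The sample results at the bottom are constructed (documentation-range addresses, not real hosts) so the summary step can be tried without touching the network.

```shell
#!/bin/sh
# Added example: low-cost IPv6 port scanner built around nc, plus a
# summary step. Not the original post's script.
# Assumptions: OpenBSD-style nc (-6 -n -z -w supported), address list with
# one IPv6 address per line (for example exported from http://flyr.info/).

# Ports to probe on every host; override with PORTS="22 80" in the environment.
PORTS="${PORTS:-22 25 53 80 443}"

# scan_host ADDR: probe each port on ADDR and print "ADDR PORT open|closed".
# nc -z only reports whether the TCP handshake completed within the timeout,
# so a dropped (filtered) probe and a real RST both end up as "closed" here;
# use nmap when that distinction matters.
scan_host() {
    addr=$1
    for port in $PORTS; do
        if nc -6 -n -z -w 3 "$addr" "$port" >/dev/null 2>&1; then
            printf '%s %s open\n' "$addr" "$port"
        else
            printf '%s %s closed\n' "$addr" "$port"
        fi
    done
}

# scan_list FILE: run scan_host over every non-empty line of FILE.
scan_list() {
    command -v nc >/dev/null 2>&1 || { echo "nc not found" >&2; return 1; }
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        scan_host "$addr"
    done < "$1"
}

# summarize (reads stdin): from "ADDR PORT state" lines, print one line per
# host that has at least one open port, as "ADDR count: p1,p2,...".
# Hosts with nothing open are omitted, so the output is the list of
# machines worth a closer look with nmap.
summarize() {
    awk '$3 == "open" {
             n[$1]++
             p[$1] = (p[$1] == "" ? $2 : p[$1] "," $2)
         }
         END { for (h in n) printf "%s %d: %s\n", h, n[h], p[h] }' | sort
}

# Constructed sample of scanner output (documentation addresses, not real
# hosts) so summarize can be demonstrated offline:
SAMPLE_RESULTS=$(printf '%s\n' \
    '2001:db8::1 22 open' \
    '2001:db8::1 25 closed' \
    '2001:db8::1 80 open' \
    '2001:db8::2 22 closed' \
    '2001:db8::2 80 closed')

# Usage against a real list:
#   scan_list ipv6_list.txt > results.txt
#   summarize < results.txt
# Offline demonstration:
#   printf '%s\n' "$SAMPLE_RESULTS" | summarize
```

Scanning 16839 hosts at three seconds per closed port is slow; run several copies of scan_list over split lists, or lower the -w timeout, and only feed the hosts summarize reports into nmap.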
I know, some of those machines have those ports open on purpose. But when you see something like these nmap scan results you realise that these are computers without any IP filtering active, and this is not good. The tell-tale sign in an nmap report is a long list of ports in the "closed" state: a closed port answers with a TCP RST, which means the probe reached the host's TCP stack unhindered, whereas a packet filter that drops the probe shows up as "filtered".

### ### ### IPv6 Machine to Internet Access ### ### ###
# Allow outgoing services (pf syntax; axe0 is the IPv6 interface)
# pf keeps state on pass rules by default, so the replies to these
# connections come back without a separate "pass in" rule.
pass out on axe0 inet6 proto tcp to any port ssh
pass out on axe0 inet6 proto tcp to any port smtp
pass out on axe0 inet6 proto tcp to any port domain
pass out on axe0 inet6 proto tcp to any port www
pass out on axe0 inet6 proto tcp to any port https
pass out on axe0 inet6 proto tcp to any port 122
pass out on axe0 inet6 proto tcp to any port ntp
pass out on axe0 inet6 proto tcp to any port 43     # whois

pass out on axe0 inet6 proto udp to any port domain
pass out on axe0 inet6 proto udp to any port ntp

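The rules above only open outgoing connections; what the unfiltered machines in the scan lack is an inbound policy. Below is a complete IPv6 host ruleset in pf syntax, added here as an example and not the post's own configuration. It reuses the post's interface name axe0 and its list of outgoing services; the admin_net prefix (2001:db8:1::/48, from the documentation range) is a placeholder for the address block SSH logins should be accepted from.

```pf
# /etc/pf.conf - IPv6 host policy (added example, not the original post's file)
ext_if    = "axe0"              # interface name taken from the post
admin_net = "2001:db8:1::/48"   # placeholder: replace with your management prefix

set skip on lo0
set block-policy drop           # drop silently instead of answering with RST/unreachable

# Default deny in both directions, logged. pf is last-match-wins, so every
# pass rule below is an explicit exception to this one.
block log all

# ICMPv6 is not optional on IPv6: neighbour discovery, router advertisements,
# Path MTU discovery (packet too big) and echo all depend on it. Blocking it
# wholesale breaks connectivity, so allow the needed types explicitly.
pass in quick inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routeradv, toobig, echoreq }
pass out quick inet6 proto icmp6 all

### ### ### Internet to IPv6 Machine ### ### ###
# Inbound services: only SSH, and only from the management prefix.
# pass rules keep state by default, so replies flow without further rules.
pass in on $ext_if inet6 proto tcp from $admin_net to ($ext_if) port ssh

### ### ### IPv6 Machine to Internet Access ### ### ###
# Allow outgoing services (same list as the post, collapsed into port lists)
pass out on $ext_if inet6 proto tcp to any port { ssh, smtp, domain, www, https, 122, ntp, 43 }
pass out on $ext_if inet6 proto udp to any port { domain, ntp }
```

Check the syntax without loading it (pfctl -nf /etc/pf.conf), load it (pfctl -f /etc/pf.conf), enable pf (pfctl -e), and then repeat the nc scan from another host: only port 22, and only from admin_net, should complete the handshake, while every other port should time out rather than answer "closed". On Linux hosts the same policy is ip6tables -P INPUT DROP plus explicit ACCEPT rules for -p ipv6-icmp and the services you serve.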